1
votes

I'm using the Microsoft Graph SDK to get an access token for my application (not a user) in order to read from SharePoint. I've been following this document, as well as posted this SO question. The code in the linked SO is the same. I was able to add application permissions as well as grant them (by pressing the button) in the Azure portal. The problem is, the token that comes back to be used does not contain any roles / scp claims in it. Therefore when using the token, I get the "Either scp or roles claim need to be present in the token" message.

Just to be certain, the only value for my scope that I pass when getting the access token is: https://graph.microsoft.com/.default. I don't pass anything else like Sites.ReadWrite.All (I get an exception if I add that scope anyway). I'm not sure how to continue troubleshooting and any help would be appreciated.

Edit: added code using the graph SDK shown below:

    // Five-argument overload: no authority is passed here
    var client = new ConfidentialClientApplication(id, uri, cred, null, new SessionTokenCache());
    // Client-credentials (app-only) flow; .default means "all application permissions granted to this app"
    var authResult = await client.AcquireTokenForClientAsync(new[] { "https://graph.microsoft.com/.default" });
    var token = authResult.AccessToken;
    // Attach the token as a Bearer header on every Graph request
    var graphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    }));
    var drives = await graphServiceClient.Sites[<sharepoint_host>].SiteWithPath(<known_path>).Drives.Request().GetAsync();
Could you add some of the code you are using to get the token? - juunas

It's in the other SO thread I linked to, but I did edit my post and added the code for convenience here. - Los Morales

My app init looks a bit different: var app = new ConfidentialClientApplication(ClientId, Authority, RedirectUri, credentials, null, new TokenCache()); - juunas

Did not get a chance to check it out yet. I just marked all comments helpful. I'll let you know if/when it gets resolved and if it indeed resolves the issue, I'll make the check. - Los Morales

@juunas That was it... I needed to use the overloaded CCA constructor. - Los Morales

2 Answers

1
votes

Seems like doing the app initialization in a different way is the solution:

    var app = new ConfidentialClientApplication(ClientId, Authority, RedirectUri, credentials, null, new TokenCache());
1
votes

The problem is, the token that comes back to be used does not contain any roles / scp claims in it.

If you cannot find any roles/scp claims in the decoded access token, you need to check the permissions in the Azure portal again.

The decoded access token should contain the roles you granted.


Log in to the Azure portal -> click Azure Active Directory -> click App registrations (preview) -> find your application.


Click your application -> API permissions -> check whether you have granted admin consent for your application. If not, click 'Grant admin consent'.


The code for getting the access token. You can find more details here.

    // authority = https://login.microsoftonline.com/{tenant}/
    // Values in braces come from your app registration
    ClientCredential clientCredentials = new ClientCredential("{clientSecret}");
    // Overload that takes the tenant authority explicitly
    var app = new ConfidentialClientApplication("{clientId}", "{authority}", "{redirecturl}",
                                                clientCredentials, null, new TokenCache());
    // .default asks for every application permission that has been admin-consented for the app
    string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
    AuthenticationResult result = app.AcquireTokenForClientAsync(scopes).Result;
    Console.WriteLine(result.AccessToken);
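A diagnostic you can run on the token after AcquireTokenForClientAsync, added here as an example and not taken from either answer: it parses the returned JWT with the System.IdentityModel.Tokens.Jwt package and reports whether it is a Graph token, issued by the tenant where consent was granted, that carries the application permission in its roles claim. The tenant id and the role name (the question's Sites.ReadWrite.All) are assumed inputs you supply.

```csharp
using System;
using System.Linq;
using System.IdentityModel.Tokens.Jwt;   // NuGet package: System.IdentityModel.Tokens.Jwt

// Reads the JWT MSAL returned and explains why Graph would reject it.
// This only parses claims; Graph validates the signature on its side.
public static class GraphTokenCheck
{
    // expectedTenantId: the tenant in which admin consent was granted (assumed input)
    // requiredRole: the application permission you granted, e.g. "Sites.ReadWrite.All"
    public static bool HasRequiredAppRole(string accessToken, string expectedTenantId, string requiredRole)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(accessToken))
        {
            Console.WriteLine("Not a readable JWT.");
            return false;
        }
        var jwt = handler.ReadJwtToken(accessToken);

        // aud must be Microsoft Graph (URL form or its well-known application id)
        bool forGraph = jwt.Audiences.Any(a =>
            a == "https://graph.microsoft.com" || a == "00000003-0000-0000-c000-000000000000");

        // App-only tokens carry application permissions as repeated "roles" claims;
        // delegated tokens carry a space-separated "scp" claim. Graph rejects a token with neither.
        var roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();
        var scopes = jwt.Claims.Where(c => c.Type == "scp")
                               .SelectMany(c => c.Value.Split(' ')).ToList();
        string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;

        Console.WriteLine($"aud=[{string.Join(",", jwt.Audiences)}] tid={tid}");
        Console.WriteLine($"roles=[{string.Join(",", roles)}] scp=[{string.Join(" ", scopes)}]");

        if (!forGraph) { Console.WriteLine("Audience is not Microsoft Graph."); return false; }
        if (tid != expectedTenantId)
        {
            Console.WriteLine("Issued by a different tenant than the one where consent was granted; "
                            + "check the authority passed to ConfidentialClientApplication.");
            return false;
        }
        if (roles.Count == 0 && scopes.Count == 0)
        {
            Console.WriteLine("Neither roles nor scp present: admin consent for the application permission is missing.");
            return false;
        }
        return roles.Contains(requiredRole);
    }
}
```

Call it as GraphTokenCheck.HasRequiredAppRole(result.AccessToken, "{tenantId}", "Sites.ReadWrite.All") before the first Graph request; a false return with the printed reason tells you whether the authority, the consent or the audience is the problem.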